Hacker Injects Malware into Early Access Game on Steam

📟 News

Date: 26/07/2025

A hacker known by the alias EncryptHub (also known as LARVA-208 and Water Gamayun) compromised the early access game Chemia on Steam to distribute an infostealer among users.

Chemia is a survival crafting game currently being developed by Aether Forge Studios. The game is available in early access, and the date for its full release has not yet been announced.

Researchers from Prodaft discovered that the compromise of Chemia occurred on July 22, 2025, when EncryptHub added the HijackLoader malware (CVKRUTNP.exe) to the game files. This malware persists on the victim’s machine and downloads the Vidar infostealer (v9d9d.exe). According to experts, the malware retrieves the address of the command server via a Telegram channel.

Three hours after the first malware was added to Chemia, a DLL file (cclib.dll) containing the second malicious program, Fickle Stealer, was injected. This file uses PowerShell (worker.ps1) to retrieve the main payload from the site soft-gets[.]com.

Fickle Stealer harvests data stored in victims' browsers, including credentials, autofill information, cookies, and cryptocurrency wallet data.
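The infection chain above is described only in terms of file names and one payload host, so the most immediate thing a defender can do with it is check a local game install for those same indicators. The script below is an added example written for this article; it is not code from Prodaft, Aether Forge Studios, or the original post. The indicator file names and the defanged domain come from the article; the game directory it builds is constructed for the demo (the stand-in files contain placeholder bytes, not malware), and the checks go slightly beyond the article by also hashing each hit and inspecting any script file for the payload host, not just worker.ps1.

```python
# Added example (not from the article): a defender-side hunt over a game install directory
# for the file-name and domain indicators reported for the Chemia compromise.
import hashlib
import re
import tempfile
from pathlib import Path

# Indicator file names taken from the article. No hashes were published on the page,
# so matching is by name; treat a hit as a lead to investigate, not proof by itself.
IOC_FILENAMES = {
    "cvkrutnp.exe": "HijackLoader dropped into game files",
    "v9d9d.exe": "Vidar infostealer fetched by HijackLoader",
    "cclib.dll": "DLL carrying Fickle Stealer",
    "worker.ps1": "PowerShell stage that pulls the Fickle payload",
}

# The article gives the host defanged as soft-gets[.]com; match both the defanged and live form.
IOC_DOMAIN_RE = re.compile(r"soft-gets(?:\[\.\]|\.)com", re.IGNORECASE)

# Script extensions worth a content check (assumption: a loader stage is usually a script).
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".js"}


def sha256_of(path: Path) -> str:
    """Hash a file so a hit can be reported and compared with vendor data later."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_install_dir(root) -> list[dict]:
    """Walk a game install directory and return one finding per matched indicator."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()  # case-insensitive, as NTFS would see it
        if name in IOC_FILENAMES:
            findings.append({"path": rel, "reason": IOC_FILENAMES[name],
                             "sha256": sha256_of(path)})
        if path.suffix.lower() in SCRIPT_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if IOC_DOMAIN_RE.search(text):
                findings.append({"path": rel,
                                 "reason": "script references payload host soft-gets[.]com",
                                 "sha256": sha256_of(path)})
    return findings


def build_sample_install() -> str:
    """Create a constructed game directory: benign files plus stand-ins for the named indicators."""
    root = Path(tempfile.mkdtemp(prefix="chemia_demo_"))
    (root / "Chemia.exe").write_bytes(b"MZ benign placeholder")
    (root / "data").mkdir()
    (root / "data" / "assets.pak").write_bytes(b"\x00" * 64)
    (root / "CVKRUTNP.exe").write_bytes(b"MZ constructed stand-in, not real malware")
    (root / "cclib.dll").write_bytes(b"MZ constructed stand-in, not real malware")
    # Constructed script body; the real worker.ps1 contents were not published in the article.
    (root / "worker.ps1").write_text("# constructed sample\n$u = 'https://soft-gets[.]com/x'\n")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_install()
    for f in scan_install_dir(sample):
        print(f"{f['path']}: {f['reason']} (sha256 {f['sha256'][:16]}...)")
```

Pointing `scan_install_dir` at a real Steam library folder is the intended use; the sample builder exists only so the script runs offline. Because the article names the loader as persisting and fetching its C2 address via Telegram, a name-based scan is a first pass: a clean result does not rule out a renamed dropper, so pair it with the usual checks on scheduled tasks, Run keys, and outbound connections from the game process.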

“The compromised executable file appears legitimate to users downloading it from Steam, which adds an element of social engineering to the attack that relies on trust in the platform rather than traditional methods of deception,” say Prodaft. “When users click on the Playtest of this game, found among other free games, they are actually downloading malware.”

Experts remind us that last year EncryptHub used this same malware in a large-scale phishing campaign involving social engineering, which resulted in the hacking of over 600 organizations worldwide.

Prodaft emphasizes that the malware operates in the background and does not affect the game’s performance, so Chemia users might not even suspect a compromise. At the time of writing, the game was still available on Steam.

At the moment, it remains unclear how exactly EncryptHub managed to inject malicious files into Chemia. One theory suggests that an insider may have assisted him. The game developers have not yet made any official statements on their Steam page or social media platforms.

This is already the third case this year involving the discovery of malware on Steam. Earlier this year, malicious games Sniper: Phantom’s Resolution and PirateFi were removed from the platform. Just like Chemia, these games were in early access.

It is worth noting that in the spring of 2025, experts from the Swedish cybersecurity company Outpost24 KrakenLabs published a comprehensive report on EncryptHub. Analysts concluded at the time that he is both a cybercriminal and a bug hunter: EncryptHub not only engages in hacking but also works as a freelance developer, and recently went as far as responsibly disclosing two zero-day vulnerabilities in Windows to Microsoft.
